
I was asked to implement a new feature in a piece of our software for users to be able to schedule themselves for deletion (we auto-remove expired users with an automated overnight process). If a user wants to be deleted, they can click a button in their profile screen to be deleted within the next 24 hours (in the next batch).

My manager wants me to implement an "export" feature into the automated process so we can export users into our other system before they have been deleted, where they can be anonymised in there for reporting, since some of our customers need to be able to report users' religions to be legally compliant in Ireland - not the users' details, just a total count of Protestant vs Catholic users.

He advises me that we are allowed to export their data (thus keeping their data in our other system) and still be GDPR compliant. I worry that this will actually make us non-compliant since I don't feel that data needs to be added to the report or leave the system in the first place. I fear it is unethical to implement such a feature.

What can I do in this situation without putting my job security on the line? Am I allowed to refuse to do this work because I feel it is unethical or potentially illegal? If so, what precautions can I take?

EDIT: I live in the UK. Our customer is Irish.

David K
Horkrine
  • Are you from NI? If so you may not know there are strict laws about equal treatment of both traditions; not being able to prove that you treat Catholics and Protestants the same can get you into serious trouble, and not just with the law. – Neuromancer Jun 24 '18 at 21:49
  • I am not a lawyer, but https://gdpr-info.eu/art-17-gdpr/ seems to say that deleting a user's data is not required if processing that data is needed "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject". That suggests to me that if the count of people by religion is required by some law the customer is subject to, then it is allowed to retain that data. – aem Jun 25 '18 at 02:38
  • Regarding your concerns: "where they can be anonymised" is all that matters. As long as I can't link the information I have to a person, GDPR is satisfied. Name/Surname/Birthday/Email have to go. After that you are fine. – Shaeldon Jun 25 '18 at 06:07
  • Anonymised data is GDPR compliant and can be used for statistical analysis. – amar Jun 25 '18 at 06:53
  • The GDPR might actually conflict with other regulatory requirements in some cases. – pmf Jun 25 '18 at 11:29
  • This is 100% not a GDPR violation as you are under legal obligation to keep the data. – speciesUnknown Jun 25 '18 at 12:38
  • Maybe calling it an "export" is the wrong part. He should say, "When a user is deleted from the database, it fires a trigger to insert the anonymised user's religion into a counter table before deleting. This data cannot be tied back to a user and is purely informational." That sounds better than saying, "a user is exported..." because then it implies being tied back to users. – Dan Jun 25 '18 at 14:45
  • @Dan That's exactly my point - it is the entire user being exported from a record in System A's database, into an XML file, and then imported into System B later where a manual anonymise function must be run. It just doesn't seem right, but the answers so far tell me it's compliant, which is what I was looking for :) – Horkrine Jun 25 '18 at 15:00
  • My answer about anonymous data still applies; however, from what you are saying, @Horkrine, if the data is being stored for a period of time on another database whilst not anonymous until someone actually runs a function to anonymise, this could be getting into a grey area with GDPR, as if the database is hacked during a time when there is non-anonymous data, that is personally identifiable data which you should not have. I would IMO create an automated function which runs after the initial deletion and migration. Then at least you are covered. Otherwise I would tread carefully. – Kyle Wardle Jun 25 '18 at 15:53
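The counter-table approach suggested in the comments (count by religion at deletion time and never copy the identifiable record to a second system) as an added example; this is not code from the question or from any answer, and the table names, column names and sample rows are assumed:

```python
import sqlite3

# Constructed sample rows for "System A"; the last column marks users who
# clicked the self-service delete button and are due in the next batch.
SAMPLE_USERS = [
    (1, "Alice", "alice@example.test", "catholic", 1),
    (2, "Bob", "bob@example.test", "protestant", 1),
    (3, "Carol", "carol@example.test", "protestant", 0),
    (4, "Dan", "dan@example.test", "catholic", 1),
]

def make_db():
    """In-memory stand-in for the production database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                            religion TEXT, scheduled_for_deletion INTEGER);
        -- All that survives deletion: a date, a label and a number.
        CREATE TABLE religion_counts (batch_date TEXT, religion TEXT,
                                      deleted_count INTEGER);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def run_deletion_batch(conn, batch_date):
    """Count scheduled users per religion, then delete them, in one transaction.
    No name, email or id is written anywhere, so there is no window in which an
    identifiable copy waits in another system to be anonymised. Returns rows deleted."""
    with conn:  # both statements commit together, or neither does
        conn.execute(
            "INSERT INTO religion_counts (batch_date, religion, deleted_count) "
            "SELECT ?, religion, COUNT(*) FROM users "
            "WHERE scheduled_for_deletion = 1 GROUP BY religion",
            (batch_date,))
        return conn.execute(
            "DELETE FROM users WHERE scheduled_for_deletion = 1").rowcount

def totals(conn):
    """Report period totals only: a single day's batch can be small enough
    that its count points at one person."""
    rows = conn.execute("SELECT religion, SUM(deleted_count) FROM religion_counts "
                        "GROUP BY religion ORDER BY religion")
    return dict(rows.fetchall())

def demo():
    conn = make_db()
    deleted = run_deletion_batch(conn, "2018-06-25")
    remaining = [r[0] for r in conn.execute("SELECT id FROM users ORDER BY id")]
    return deleted, remaining, totals(conn)
```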

3 Answers

The important phrase you mentioned is:

they can be anonymised

According to the GDPR:

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Source

As long as the data is not personally identifiable, it is compliant with GDPR.

Kyle Wardle

You are allowed to discuss this matter with your manager's superior. I don't know that much about GDPR, but it seems obvious that people who wish to get removed from your system want to get removed from your system, so what you are asked to do might be an intentional GDPR violation, and might end up costing your company real money. That decision may very well be above the manager's paygrade.

gnasher729
  • I'd be careful about commenting on employment issues in NI - it's a very sensitive area and can get companies into trouble, and not just legal ones - you don't want to piss off the guys with simply the best tattoos or their counterparts on the other side. – Neuromancer Jun 24 '18 at 22:20

First things first: are you a native of Northern Ireland? I assume not.

As background, NI has some very odd differences from UK law: it's illegal to wear football colours at work or to display team emblems. The reason is obvious when you consider the sectarian aspects of football.

There are also very strict rules on fair treatment of Catholics and Protestants; break those and there will be a political ruckus, and it may annoy those in the "communities" with connections to paramilitary organisations.

I would:

First, double-check with your boss and ideally with your legal department, and get it in writing.

If it's a question of bending the rules of GDPR vs breaking the spirit of NI law, I would obey NI law, which I would suspect overrides GDPR, though if it's required in NI to conform to the spirit of NI law I suspect it would be OK under GDPR.

Neuromancer